How to Dynamically Connect to a Database Using an Encrypted Password

Description

Connecting to databases using dynamic connection strings can be done securely.

An application that does not use the dynamic named connection string mechanism can still dynamically connect to database. It is imperative, however, that passwords not be included on A5W pages, especially not in the clear or in weakly obscured form. Instead, truly encrypted passwords should be loaded from a database or from a file that is not below the web root, and decrypted at the last possible moment, typically as part of the SQL::Connection::Open() call.

For example, suppose you have encrypted your passwords with a5_encrypt_string() and stored them in a DBF table, using an encryption key you store in your A5I file. On the A5W page where you connect to the database, assuming that the string variable Encryption_Key has already been set, you might have code that loads the string variables User_Name and Encrypted_Password from the DBF file. Then you would run code like the following to create and open your connection string: